Application Security News for October 2016

This month, we introduce our new podcast, Between Two Teeth. This regularly scheduled podcast will feature discussions and opinions on various security related topics from the previous month. This month’s hosts are Anshuman Singh and Nitzan Miron. You can listen to the podcast in the player above.

This month’s topics: the Mirai botnet and the attack on DynDNS; how necessity led one person to discover a vulnerability in PayPal's 2FA; news on Magento eCommerce vulnerabilities leading to 6,000 sites being hacked; how simply turning on HTTPS does not fully protect you and your site's visitors; and more.

Earlier this month, the Department of Justice unsealed a criminal complaint against a contractor for the National Security Agency, alleging the theft of highly classified information. Like Edward Snowden in 2013, Harold Thomas Martin III, 51, of Glen Burnie, Maryland, worked for Booz Allen Hamilton and is accused of exploiting his insider access in order to remove classified files….

There’s no doubt that 2016 has been a massive year for security breaches. We’ve seen data breaches affecting large retailers, social media platforms and even political campaigns. In this article I’m going to give you the list of what I believe to be…

Virginia Sen. Mark Warner sent letters to the Federal Communications Commission, Federal Trade Commission and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center about his “growing concern” over the “unprecedented” volume of DDoS attacks driven by the Mirai botnet exploiting connected devices.

“[O]ver 500,000 connected devices were vulnerable to Mirai because of an exploitable component from a single vendor’s management software,” Warner wrote. “Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support.”

“I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers,” Warner said.

Security firm Arbor Networks noticed that several hackers “have been observed customizing and improving the attack capabilities of the original botnet code,” according to a blog post published on Thursday.

A dry run for a high school literacy test in Ontario was cancelled last week after being sabotaged with a cyber attack, affecting thousands of grade 10 students, the organization that oversees the test announced on Monday.

According to the province’s Education Quality and Accountability Office (EQAO), which plans on administering the test online in March in a digital first, the pilot was scuttled after being targeted by an “intentional, malicious and sustained” distributed denial of service attack, or DDoS. The attack could have affected up to 150,000 students who were registered at schools that volunteered to participate in the trial, and only 16,000 were able to complete the test before it was taken offline.

The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses.

On Saturday, September 24, the Shellshock bug turned two, but threat actors haven't forgotten about it just yet, with a fairly decent amount of Shellshock scans taking place on a regular basis, according to telemetry data gathered by IBM X-Force.
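The ongoing scanning noted above is easy to spot in ordinary web server logs, because every Shellshock probe has to deliver a bash function definition (`() {`) in a header or URL to reach a vulnerable CGI handler. The following detector is an added example, not code from the original post or from IBM X-Force; it parses Apache "combined" format lines and flags the pattern in the request, Referer and User-Agent fields, percent-decoding first so encoded probes are caught too. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# The env-var function definition that triggers CVE-2014-6271/CVE-2014-7169
# in unpatched bash: "() {" with optional whitespace between the tokens.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: host, ident, user, [timestamp], "request",
# status, bytes, "referer", "user-agent". Probes ride in the quoted fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

def find_shellshock_probes(log_text):
    """Return one finding per (line, field) whose decoded value carries the pattern."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        for field in ("request", "referer", "user_agent"):
            value = unquote(m.group(field))  # undo %28%29%20%7B style encoding
            if SHELLSHOCK_RE.search(value):
                findings.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "field": field,
                    "status": int(m.group("status")),
                })
    return findings

# Constructed sample traffic (not real log data): two probes, one normal request.
SAMPLE_LOG = """
203.0.113.10 - - [24/Sep/2016:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 404 512 "-" "() { :;}; echo probe"
198.51.100.7 - - [24/Sep/2016:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"
192.0.2.44 - - [24/Sep/2016:10:01:12 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe" "curl/7.50"
"""

if __name__ == "__main__":
    for finding in find_shellshock_probes(SAMPLE_LOG):
        print(finding)
```

A 404 on a flagged line means the scanner missed, but a 200 against a `/cgi-bin/` path on a host with unpatched bash is the case worth investigating; patch status of bash on the target, not the log alone, decides whether the probe mattered.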

Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.